On 1 September 2025, the Failure to Prevent Fraud offence will take effect under the Economic Crime and Corporate Transparency Act 2023, changing how UK financial institutions manage fraud risk. The legislation holds banks, payment providers, and financial services firms accountable for fraud committed by employees, agents, contractors or other “associated persons” acting on their behalf.
This is a significant development that raises the bar for fraud prevention. Yet many financial institutions remain unprepared for the operational and cultural changes needed to meet the requirements of the new offence.
Expanding liability for financial institutions
The new offence covers a range of fraud-related crimes such as false representation and abuse of position. Its extraterritorial scope means UK-based customers or operations can trigger liability even if misconduct occurs abroad.
For multinational banks and payment providers, this heightens the need for comprehensive, group-wide risk assessments and coordinated fraud controls. A failure in a subsidiary, whether in Hong Kong, Luxembourg, or elsewhere, can now lead to consequences at the UK parent level.
Addressing the quiet threat of insider fraud
Insider fraud continues to be one of the most challenging threats for financial institutions. It occurs when individuals with legitimate access – staff, vendors or contractors – exploit their position to misappropriate funds, manipulate records, or bypass controls.
Traditional fraud detection tools often focus on external attacks, leaving blind spots for sophisticated insider threats. Real-time monitoring integrated into payment workflows is essential to detect suspicious behaviour early and intervene before losses occur.

Meeting the reasonable prevention standard
To comply with the new offence, financial institutions must demonstrate they have taken reasonable steps to prevent fraud. The UK government outlines six core principles to guide this: risk assessment, proportional measures, top-level commitment, thorough due diligence, clear communication, and ongoing monitoring.
In practice, this means:
- Documented, regular fraud risk assessments tailored to the institution’s specific exposure
- Targeted staff training focused on roles with heightened fraud risk
- Rigorous third-party due diligence and contract terms addressing fraud prevention
- Strong governance, control testing and audit trails to provide oversight and evidence of compliance
These measures are fundamental to both regulatory compliance and operational resilience.
Managing third-party risk in financial services
Financial institutions rely heavily on third-party vendors for services ranging from cloud infrastructure to customer support and analytics. Under the new offence, inadequate oversight of these providers can expose firms to legal and regulatory consequences.
As one of the six core principles outlined by the UK government, institutions must implement thorough due diligence processes that evaluate partners’ fraud controls and embed fraud prevention requirements contractually. Ensuring third parties meet these standards is critical to managing the institution’s overall fraud risk.
Technology as a linchpin of compliance
Technology will play a central role in helping financial institutions comply with the Failure to Prevent Fraud offence. They need modern fraud detection and prevention technologies that monitor behaviour in real time. Embedding controls at the transaction authorisation stage, between approval and message creation, can give institutions the ability to stop fraud attempts before they result in financial loss. This control enhances compliance while supporting operational efficiency and customer trust.
The Failure to Prevent Fraud offence signals a new era in UK fraud regulation. Financial institutions that act early, invest in modern fraud detection technologies, and treat compliance as an organisational priority will avoid regulatory penalties and enhance their resilience and reputation. From identifying who poses a risk, to monitoring activity in real time, to building a culture where fraud prevention is everyone’s job, success will depend on strategy, investment and leadership. As the countdown to September continues, the time for decisive action is now.
Ruud Grotens is Head of Solution Consulting – Cybercrime and Fraud Risk Management, Bottomline